Bug 54307 - Boolean attributes cannot be synced with the ID-Connector
Boolean attributes cannot be synced with the ID-Connector
Product: UCS@school
Classification: Unclassified
Component: ucsschool-id-connector
UCS@school 4.4
Other Linux
: P5 normal (vote)
: ---
Assigned To: Tobias Wenzel
Johannes Keiser
Depends on: 54773
  Show dependency treegraph
Reported: 2022-01-06 17:29 CET by Jan-Luca Kiok
Modified: 2023-03-30 11:24 CEST (History)
9 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022050321000557, 2022061521000489
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Jan-Luca Kiok univentionstaff 2022-01-06 17:29:24 CET
While trying to sync boolean attributes with the ID-Connector an error is returned by the receiving Kelvin-API:

Kelvin REST API returned status 400, reason 'Bad Request' (Unprocessable Entity: {'pwdChangeNextLogin': 'The property pwdChangeNextLogin has an invalid value: Value must be of type boolean not unicode.'} for PUT 'https://schulcloud.intranet/ucsschool/kelvin/v1/users/testuser'.
Comment 1 Daniel Tröder univentionstaff 2022-01-07 08:38:46 CET
Probably a problem in the data chain:

The Appcenter Listener Converter writes a string value into the JSON that the ID Connector uses. The UDM REST API expects a boolean.
(The error message from Kelvin is just a forwarded error from the UDM REST API.)

The problem would then be, that the Appcenter Listener Converter uses a different interface (UDM basic -> all strings) than the Docker container apps use (UDM REST API -> typed values).

If this hypothesis is verified, a discussion/bug should be opened to change the Appcenter Listener Converter.
Comment 2 Jan-Luca Kiok univentionstaff 2022-01-07 13:02:37 CET
For completeness:

Manual creation with 'udm_properties": {"pwdChangeNextLogin": true}' does work, so the problem occurs indeed in the data chain.

This is the corresponding UDM REST API log:

06.01.22 17:19:07.799  ADMIN       ( WARN    ) : u'pwdChangeNextLogin': Value=u'1' 'BooleanType'
WARNING:tornado.access:422 PATCH /udm/users/user/uid=testuser,cn=lehrer,cn=users,ou=SchuleA,dc=schulcloud,dc=intranet ( 25.24ms
06.01.22 17:19:07     WARNING      (    19403) : 422 PATCH /udm/users/user/uid=testuser,cn=lehrer,cn=users,ou=SchuleA,dc=schulcloud,dc=intranet ( 23.52ms

Upon looking into the out queue your assumption looks plausible:

    "action": "add_mod",
    "dn": "uid=testuser,cn=lehrer,cn=users,ou=SchuleA,dc=mydomain,dc=intranet",
    "object": {
        "pwdChangeNextLogin": "1",

Is this sufficient to file a bug against the Listener Converter?
Comment 4 Daniel Tröder univentionstaff 2022-01-11 15:48:36 CET
A customer plugin can resolve the issue:

Add a method like _handle_attr_disabled() [1] to a plugin class derived from the Kelvin plugin [2].

The code of the plugin should be similar to:

class MyKelvinPerSAUserDispatcher(KelvinPerSAUserDispatcher):
    async def _handle_attr_MY_PROPERTY(obj: ListenerUserAddModifyObject) -> bool:
        """Pass on state of 'MY_PROPERTY'."""
        return obj.object["MY_PROPERTY"] == "1"

class MyKelvinUserDispatcher(UserDispatcherPluginBase):
    Send current state of user to target system (school authority).

    Each out queue has its own :py:class:`KelvinPerSAUserDispatcher` instance
    which handles user data for the queues school authority.

    plugin_name = "my-kelvin"
    per_s_a_handler_class = MyKelvinPerSAUserDispatcher

class MyKelvinHandler(KelvinHandler):
    plugin_name = "MY-kelvin"

    def __init__(self):
        self.user_handler = MyKelvinUserDispatcher()

plugin_manager.register(MyKelvinHandler(), MyKelvinHandler.plugin_name)

Install that file in /var/lib/univention-appcenter/apps/ucsschool-id-connector/conf/plugins/plugins/ and use in the connector configuration "my-kelvin" instead of "kelvin".

[1] https://git.knut.univention.de/univention/components/ucsschool-id-connector/-/blob/master/src/plugins/packages/ucsschool_id_connector_defaults/user_handler_base.py#L223
[2] https://git.knut.univention.de/univention/components/ucsschool-id-connector/-/blob/master/src/plugins/plugins/kelvin_handlers.py
Comment 5 Daniel Tröder univentionstaff 2022-01-11 15:52:17 CET
A better solution would be to add a feature to the ID Connector that lets customers add mapping functions like "_handle_attr_MY_PROPERTY()" without the need to create their own plugin with three subclasses.
Comment 10 Anne Hanekop univentionstaff 2022-05-03 16:35:10 CEST
Added additional information and set Waiting Support together with Dirk Schnick.
Comment 13 Jan-Luca Kiok univentionstaff 2022-06-15 15:58:19 CEST
This workaround does not work for us anymore in production and since today in our test environment! Since upgrading to UCS 5 no school authorities are gathered: "Ignoring object without current or previous school authority entries".
Comment 16 Dirk Schnick univentionstaff 2022-06-16 10:06:27 CEST
New ticket added another customer escalated the problem yesterday.
Comment 17 Daniel Tröder univentionstaff 2022-07-06 11:31:18 CEST
A patch for the Appcenter exists in Bug 54773, that will add typed UDM properties to the JSON that is dumped into Docker containers.

The bug has to be discussed with and implemented by the Appcenter team.
Comment 18 Tobias Wenzel univentionstaff 2023-03-29 13:03:50 CEST
The bug was fixed & qa't in gitlab.

The id-connector version 2.2.5 will only be available for 5.0

Comment 19 Tobias Wenzel univentionstaff 2023-03-30 11:20:09 CEST
Version 2.2.5 was released -> verify
Comment 20 Tobias Wenzel univentionstaff 2023-03-30 11:24:43 CEST
Updates for UCS@school ID Connector 2.2.5 have been released.


If this error occurs again, please clone this bug.